Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM _ Captive portal drop to VLAN CoA

  • 1.  CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 08, 2021 11:07 AM
    Hi All,

    I would like to pick your brain on following topic.

    Setup MM-MD.
    MM Single VM
    MD 2x 7205 in L2 cluster
    All on 8.7.0.0 code.

    CPPM single VM on 6.9.1. (Entry Licence)

    We are in the middle of deploying a network for an educational institution and the requirement is to have 2 SSIDs: one for "Trusted internal" devices and the other for "Guest and student BYOD devices".

    The first SSID is MAC-auth and is working 100%. Devices, depending on endpoint descriptions, are dropped into different VLANs.

    The second SSID "Guest" is using the CPPM Captive Portal with MAC caching. We aim to design it as follows:

    User connects, gets IP in VLAN 666, captive portal redirect occurs and user is prompted for their Guest Credentials. From here we want to have two scenarios:

    1) If your "Guest role ID" = 2 ( [Guest]) you are kept in VLAN 666 and have internet access only.
    2) If your "Guest role ID" = 3001 "StudentWiFi" you are dropped to vlan 340, which has access to internal network and AirGroup Servers and also has Deep Packet Inspection performed by our Firewalls.

    While option 1 is working 100%, option 2 will not work automatically: the CoA "Aruba Wireless - Bounce Switch Port" is passed on to the Aruba Controller, but the user does not drop. As a result the user keeps the IP from VLAN 666.

    If I take the device, connect to a different SSID and connect back to Guest, MAC caching kicks in and the user is dropped into the correct VLAN 340. The same happens if I issue the CoA manually in CPPM, disable and enable WiFi, and the user connects to Guest on VLAN 340.

    Is what we are trying to do achievable with CPPM and MM-MD setup?

    Any help and thoughts on this are greatly appreciated.

    Thanks, Martin


  • 2.  RE: CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 08, 2021 03:40 PM
    Do you have an error with the CoA?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 3.  RE: CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 08, 2021 04:56 PM
    If what you want is to kick the wireless user off and have them reconnect, try [ArubaOS Wireless - Terminate Session] instead of [Aruba Wireless - Bounce Switch Port].


    [Aruba Wireless - Bounce Switch Port] looks like it will actually shut/no shut the physical port on the controller. If that's where your AP is plugged in, it will cause your AP to bounce.


    ------------------------------
    Michael Wood
    ------------------------------

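The difference the reply above draws between the two enforcement profiles comes down to what the controller receives from ClearPass. The following is an added example, not code from the thread or from Aruba: it assumes that a "Terminate Session" profile is delivered as a RADIUS Disconnect-Request (RFC 5176, UDP port 3799 by default) and shows, offline and without any network I/O, how the ClearPass side builds that message and how the controller side must verify it with the shared secret before tearing down the session, answering with a Disconnect-ACK or a Disconnect-NAK (Error-Cause 503, "Session Context Not Found"). The shared secret, MAC address and user name are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the fixed RADIUS header length (code, id, length, authenticator)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
HEADER_LEN = 20

# Attribute type codes (RFC 2865 / RFC 5176)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """RADIUS-server side (what a Terminate Session enforcement sends).
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_disconnect_request(secret, packet):
    """NAS (controller) side: recompute the Request Authenticator and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def build_response(secret, request, code, attrs=()):
    """Disconnect-ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    auth = hashlib.md5(header + request[4:HEADER_LEN] + body + secret).digest()
    return header + auth + body


def nas_handle(secret, packet, active_sessions):
    """Toy controller: silently discard unauthenticated requests (RFC 5176 section 2.3),
    ACK when the session keyed by Calling-Station-Id exists and is torn down, NAK otherwise."""
    if not verify_disconnect_request(secret, packet):
        return None
    attrs = dict(decode_attrs(packet[HEADER_LEN:]))
    mac = attrs.get(ATTR_CALLING_STATION_ID, b"").decode()
    if mac in active_sessions:
        active_sessions.remove(mac)
        return build_response(secret, packet, DISCONNECT_ACK)
    error = struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(secret, packet, DISCONNECT_NAK, [(ATTR_ERROR_CAUSE, error)])


if __name__ == "__main__":
    # Constructed sample values: shared secret, client MAC and guest user name
    secret = b"constructed-shared-secret"
    sessions = {"AA-BB-CC-DD-EE-FF"}
    req = build_disconnect_request(secret, 7, [(ATTR_USER_NAME, "student1"),
                                               (ATTR_CALLING_STATION_ID, "AA-BB-CC-DD-EE-FF")])
    resp = nas_handle(secret, req, sessions)
    print("first request  ->", "ACK" if resp[0] == DISCONNECT_ACK else "NAK", sessions)
    resp = nas_handle(secret, req, sessions)
    print("replayed request ->", "ACK" if resp[0] == DISCONNECT_ACK else "NAK (503)")
```

The useful part for troubleshooting a CoA that "does not drop" the user is the NAS side: a request whose authenticator does not match the secret configured for that ClearPass IP is dropped without any reply at all, while a valid request for a session the controller cannot find is answered with a NAK carrying Error-Cause 503. Both cases show up differently in the ClearPass CoA log, which is why the follow-up question about a CoA error is the right first check.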


  • 4.  RE: CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 11, 2021 04:07 AM
    To add to that: please note that, depending on the client, it will or will not do a new DHCP request after its session is terminated.

    Changing VLAN with a captive portal can be unreliable because of this, and where possible try to keep the VLAN (and thus the IP) the same and only change the role.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 18, 2021 10:42 AM
    Hi All,

    thank you for all the answers above. As Herman says, it does work, but not on all devices. Since the VLAN requirement is an absolute must for the client, I've advised the client that they might need to reconnect manually to get into the correct VLAN, and luckily they are OK with that. So thank you all for your help. This is only an issue during the first authentication process. Every other authentication is done via MAC auth, which drops the user into the correct VLAN without any problems.

    Best Regards,

    Martin

    ------------------------------
    Martin Tucek
    ------------------------------



  • 6.  RE: CPPM _ Captive portal drop to VLAN CoA

    Posted Jan 22, 2021 11:37 AM
    Hi,

    On your web login, in your login method, you should use controller-initiated. It means installing a captive portal certificate on your wireless controller (it has to be different from the ClearPass one).

    Cheers

    ------------------------------
    Julien B
    ACEX #90
    ------------------------------